iOS 6 fixes bug that sent iMessages to stolen iPhones

Rest assured: thieves won't get your texts—as long as you updated.

Apple has apparently quietly fixed a problematic bug in the iMessage protocol that resulted in the continued sending of iMessage data to iPhones that had been sold or stolen, even after they had been remotely wiped. According to The Next Web's sources, Apple rolled the fix out in iOS 6, so updated devices should no longer mistakenly receive potentially intimate, private messages from friends or family that were meant for someone else.

We reported on the problem last December after Ars reader David Hovis discovered iMessages were being sent to his wife's stolen iPhone 4S. Despite remotely wiping the device and changing her Apple ID password, messages sent to Mrs. Hovis were also still going to the unsuspecting buyer of the purloined iPhone, even though that person had activated the device with a new number.

iOS security expert Jonathan Zdziarski speculated that once iOS devices were registered with Apple's iMessage servers, the UDID of the device may be cached along with the phone number or e-mail address associated with the device. The UDID would not change, even if the device was wiped and registered with a new phone number, so iMessages would still be pushed to that device.

Apple has implemented a number of additional checks on iMessage use in iOS 6. For instance, when you register a device with the iMessage system, you'll get an e-mail notifying you of the change. You'll also get push notifications to your other iOS devices.

Critically, according to The Next Web, iOS 6 requires users to re-enter their Apple ID password whenever it is changed in order to continue receiving iMessages. So if your iPhone or other iOS device is stolen, you can change your Apple ID password and enter it on your replacement device (or re-enter it on your other iOS devices) to keep iMessages coming your way. The stolen device will effectively be "de-registered" and won't be able to receive iMessages intended for you.

It's worth noting that devices that have not been updated to iOS 6 could still potentially be affected by the problem, assuming whoever ends up with the device also doesn't update iOS.
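To make the two behaviours concrete, here is a toy model of a push-messaging registry, added as an illustration for this article; it is not Apple's code and does not reproduce the real iMessage protocol. It assumes a server-side table mapping an account to registered device identifiers (standing in for the UDID) plus a counter that is bumped on every password change. With `require_current_credentials=False` the registry routes by the cached identifier alone, which is the pre-iOS 6 behaviour described above; with it set to `True`, a device only receives messages if it has re-authenticated since the last password change, which is the fix as described. Account names, device identifiers and passwords are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass
class Device:
    device_id: str          # stands in for the cached UDID
    cred_generation: int    # password generation the device last authenticated under


@dataclass
class Account:
    password: str
    cred_generation: int = 0                       # bumped on every password change
    devices: dict = field(default_factory=dict)    # device_id -> Device


class PushRegistry:
    """Server-side store mapping an account to the devices that receive its messages."""

    def __init__(self, require_current_credentials: bool):
        # False: a cached device identifier keeps receiving messages regardless of
        # password changes (the bug described in the article).
        # True: a device must have re-authenticated since the last password change.
        self.require_current_credentials = require_current_credentials
        self.accounts: dict[str, Account] = {}

    def create_account(self, apple_id: str, password: str) -> None:
        self.accounts[apple_id] = Account(password=password)

    def register_device(self, apple_id: str, password: str, device_id: str) -> bool:
        """Authenticate and (re)register a device. Returns False on a bad password."""
        acct = self.accounts[apple_id]
        if password != acct.password:
            return False
        acct.devices[device_id] = Device(device_id, acct.cred_generation)
        return True

    def change_password(self, apple_id: str, old: str, new: str) -> bool:
        acct = self.accounts[apple_id]
        if old != acct.password:
            return False
        acct.password = new
        acct.cred_generation += 1   # every existing registration is now stale
        return True

    def recipients(self, apple_id: str) -> list[str]:
        """Device ids a new message for apple_id would be pushed to."""
        acct = self.accounts[apple_id]
        if not self.require_current_credentials:
            return sorted(acct.devices)   # cached identifiers never expire
        return sorted(d.device_id for d in acct.devices.values()
                      if d.cred_generation == acct.cred_generation)


def stolen_phone_scenario(require_current_credentials: bool) -> dict:
    """Walk through the article's scenario and report who gets messages at each step."""
    reg = PushRegistry(require_current_credentials)
    reg.create_account("victim@example.com", "hunter2")   # constructed sample account
    reg.register_device("victim@example.com", "hunter2", "UDID-STOLEN-PHONE")
    reg.register_device("victim@example.com", "hunter2", "UDID-IPAD")

    # A remote wipe happens on the device only; nothing in the server-side
    # registry changes, and activating the phone with a new number does not
    # touch the cached entry either.
    after_wipe = reg.recipients("victim@example.com")

    reg.change_password("victim@example.com", "hunter2", "correct horse battery")
    after_password_change = reg.recipients("victim@example.com")

    # The owner enters the new password on the replacement phone and the iPad.
    reg.register_device("victim@example.com", "correct horse battery", "UDID-REPLACEMENT")
    reg.register_device("victim@example.com", "correct horse battery", "UDID-IPAD")
    after_reauth = reg.recipients("victim@example.com")

    return {"after_wipe": after_wipe,
            "after_password_change": after_password_change,
            "after_reauth": after_reauth}


if __name__ == "__main__":
    for mode in (False, True):
        print("require_current_credentials =", mode, stolen_phone_scenario(mode))
```

Running it shows that in the cached-identifier mode the stolen phone stays on the recipient list through the wipe, the password change and the re-registration of the owner's other devices, while in the re-authentication mode the password change empties the list and only devices that present the new password come back. The check lives on the server in this model, so a modified client on the stolen phone could not simply skip it; an iPhone still on an older iOS would likewise be covered only if the server, not the client, enforces the rule.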

Promoted Comments

Is it me or is it slightly worrying that they seem to have implemented these changes at a client level, meaning that someone could bypass them with custom software, instead of doing it properly and having the server refuse to send out messages once the phone has been wiped / unregistered?

Surely all of this is a backend thing and should not have any client component at all.

The point of push services is that the server can track the client without reauthentication, thus saving battery life. This assumes the client isn't compromised; otherwise the whole security model falls apart, because the server wouldn't know whether the client is compromised or not, since it doesn't need to reauthenticate every time the server contacts the client. The only way the server knows that the client is compromised is if the client forces a reauthentication, i.e. wrong password, so that the server knows that a once-valid client is no longer valid.

EDIT: Another solution would be to have a list of approved devices somewhere. But maybe showing that list would be too technical for the average user, so Apple might've decided to leave it out. Especially if that list would just be showing a bunch of UDIDs. No average user is going to know which UDID corresponds to which phone, tablet, or computer.